Windows 8 Metro app piracy and other concerns

The principal engineer for Nokia’s Windows Phone 7 and Windows Phone 8 devices has demonstrated, in rather frank detail, how to pirate Windows 8 Metro (new-style) apps, how to bypass in-app purchases, and how to remove in-game ads. These hacks aren’t exactly easy, but more worryingly they’re not exactly hard either.

On his blog (currently offline, but still available via the Google cache), Justin Angel shows that turning a trial version of a Metro app into the full version – i.e. pirating an app – is scarily simple. It’s just a matter of downloading an open source app and changing an XML attribute from “Trial” to “Full.” Likewise, a quick change to an XAML file can remove an app’s ads.

Bypassing in-app purchases is a little trickier, involving reverse engineering of some DLLs and decryption of database files, but Angel still makes it look fairly easy. Angel gives himself one million credits in Soulcraft, a role-playing game – something that would cost you the best part of a grand, if you performed a legitimate in-app purchase. Angel also demonstrates a way to bypass in-app purchases in WinJS (Metro/JavaScript) apps, by injecting scripts into IE10 (the rendering engine for WinJS apps).

Ultimately, all of these hacks represent ways of getting stuff for free. This is obviously bad news for developers, who probably don’t realise that by allowing trial downloads they are opening themselves up to piracy. In-app ads and purchases are massive revenue streams for developers, and yet we now see that it’s very easy to circumvent both.

You can protect these files with encryption – and indeed, some of them are protected – but that’s no good if you have access to the code that performs the encryption. As Angel says: “We have the algorithm used for encryption, we have the hash key and we have the encrypted data. Once we have all of those it’s pretty simple to decrypt anything.”

Angel notes that there are some security mechanisms in place that stopped him from directly editing app DLL and JS files, but, as we can see, that didn’t stop him from pirating apps or bypassing in-app purchases.

It’s easy to blame Microsoft for this, but really this is an issue that is intrinsic to all installed applications. The fact is, Windows 8 Metro apps are stored on your hard drive – and this means that you have access to the code and data. In general, every installed application is vulnerable to these kinds of attacks. Hex editors, save game editors, bypassing Adobe’s 30 day trials by replacing DLL files, pirating Windows 8 apps – these are all just different incarnations of the same attack vectors.

The only real solution is to provide some kind of server-side sanity checking: You hack the software from Trial to Full – but when you log in, the server knows that you haven’t bought the software, and so it reverts you back to Trial mode. You give yourself one million credits – but the server checks your purchase history, knows that you cheated, and so resets your credits back to zero. The problem with this route, of course, is that it requires you to be online – and you know how we feel about always-on DRM. Plus, it’s very easy to disable server-side checks with a little Hosts file hacking.
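The server-side check described above, sketched as an added example (not code from the article or from Angel's post): the server derives license mode and credit balance from its own purchase ledger and treats whatever the client reports as an untrusted claim. The account names, ledger contents and function names are hypothetical, and the sample data is constructed.

```javascript
// Added example. Account names, ledger contents and function names are hypothetical.
// Constructed server-side ledger: what each account has actually paid for.
const LEDGER = new Map([
  ['alice', { fullLicense: true, creditsBought: 5000, creditsSpent: 1200 }],
  ['bob', { fullLicense: false, creditsBought: 0, creditsSpent: 0 }],
]);

// Server: compare the client's claimed state with the ledger. The claim is
// untrusted input; it is only compared against the ledger, never copied.
function reconcile(account, claim) {
  const rec = LEDGER.get(account);
  if (!rec) return { mode: 'Trial', credits: 0, flags: ['unknown-account'] };
  const mode = rec.fullLicense ? 'Full' : 'Trial';
  const credits = rec.creditsBought - rec.creditsSpent;
  const flags = [];
  if (claim.mode !== mode) flags.push('license-mismatch');
  if (claim.credits !== credits) flags.push('credit-mismatch');
  return { mode, credits, flags };
}

// Server: spending is checked against the ledger balance, so an edited local
// balance buys nothing.
function spend(account, amount) {
  const rec = LEDGER.get(account);
  if (!rec || !Number.isInteger(amount) || amount <= 0) return false;
  if (rec.creditsBought - rec.creditsSpent < amount) return false;
  rec.creditsSpent += amount;
  return true;
}

// Client: the state the app runs with comes from the server's answer. A missing
// answer (server unreachable or blocked) fails closed to Trial; the locally
// stored values are never consulted.
function effectiveState(response) {
  if (!response) return { mode: 'Trial', credits: 0, verified: false };
  return { mode: response.mode, credits: response.credits, verified: true };
}

// Constructed tampered local state: Trial flipped to Full, one million credits.
const tampered = { mode: 'Full', credits: 1000000 };
console.log(reconcile('bob', tampered));                 // reverted, both mismatches flagged
console.log(spend('bob', 500));                          // refused by the ledger
console.log(effectiveState(null));                       // blocked check: Trial
```

Failing closed when the server gives no answer is what keeps a blocked check from leaving the edited local state in effect, at the cost of the online requirement the article mentions.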

In short, Windows 8 Metro apps have been hacked, and it’s now just a matter of time until some enterprising developer creates a one-button tool that pirates trial apps, unlocks every in-app purchase, and removes in-app ads. There are certainly changes that Microsoft could make to shore up the security of Metro apps, but it would only delay the inevitable. Really, this is just a natural part of Windows 8’s evolution.